
Commit 156c196f authored by Eric W. Biederman's avatar Eric W. Biederman Committed by Pablo Neira Ayuso

netfilter: x_tables: Pass struct net in xt_action_param



As xt_action_param lives on the stack this does not bloat any
persistent data structures.

This is a first step in making netfilter code that needs to know
which network namespace it is executing in simpler.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent 6aa187f2
+2 −1
@@ -13,6 +13,7 @@
 * @target:	the target extension
 * @target:	the target extension
 * @matchinfo:	per-match data
 * @matchinfo:	per-match data
 * @targetinfo:	per-target data
 * @targetinfo:	per-target data
 * @net		network namespace through which the action was invoked
 * @in:		input netdevice
 * @in:		input netdevice
 * @out:	output netdevice
 * @out:	output netdevice
 * @fragoff:	packet is a fragment, this is the data offset
 * @fragoff:	packet is a fragment, this is the data offset
@@ -24,7 +25,6 @@
 * Fields written to by extensions:
 * Fields written to by extensions:
 *
 *
 * @hotdrop:	drop packet if we had inspection problems
 * @hotdrop:	drop packet if we had inspection problems
 * Network namespace obtainable using dev_net(in/out)
 */
 */
struct xt_action_param {
struct xt_action_param {
	union {
	union {
@@ -34,6 +34,7 @@ struct xt_action_param {
	union {
	union {
		const void *matchinfo, *targinfo;
		const void *matchinfo, *targinfo;
	};
	};
	struct net *net;
	const struct net_device *in, *out;
	const struct net_device *in, *out;
	int fragoff;
	int fragoff;
	unsigned int thoff;
	unsigned int thoff;
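Review bot: The new kernel-doc entry ` * @net` in the first hunk lacks the colon that every other member line in this comment carries, so kernel-doc is unlikely to pick it up as a member description; it should read ` * @net:		network namespace through which the action was invoked`. The same line is a good place to say that the pointer is borrowed for the duration of the call: the commit message notes the struct lives on the stack, and nothing visible here takes a reference, so an extension that keeps `net` beyond the call would presumably need to take its own. The struct definition continues outside the last hunk.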
+1 −0
@@ -30,6 +30,7 @@ static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
				   const struct nf_hook_state *state)
				   const struct nf_hook_state *state)
{
{
	pkt->skb = skb;
	pkt->skb = skb;
	pkt->xt.net = state->net;
	pkt->in = pkt->xt.in = state->in;
	pkt->in = pkt->xt.in = state->in;
	pkt->out = pkt->xt.out = state->out;
	pkt->out = pkt->xt.out = state->out;
	pkt->hook = pkt->xt.hooknum = state->hook;
	pkt->hook = pkt->xt.hooknum = state->hook;
+1 −0
@@ -200,6 +200,7 @@ unsigned int ebt_do_table(struct sk_buff *skb,
	struct xt_action_param acpar;
	struct xt_action_param acpar;


	acpar.family  = NFPROTO_BRIDGE;
	acpar.family  = NFPROTO_BRIDGE;
	acpar.net     = state->net;
	acpar.in      = state->in;
	acpar.in      = state->in;
	acpar.out     = state->out;
	acpar.out     = state->out;
	acpar.hotdrop = false;
	acpar.hotdrop = false;
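Review bot: `struct xt_action_param acpar;` is declared without an initializer at the top of this hunk and then filled member by member, so the new `net` pointer is valid only because `acpar.net = state->net;` was added by hand. The same pattern appears in the arpt_do_table and ipt_do_table hunks, and any other site that builds this struct on the stack without the matching assignment would hand match and target extensions an indeterminate pointer. Consider initializing at the declaration, e.g. `struct xt_action_param acpar = { .net = state->net };`, or at least confirming that every constructor of the struct (including any in files not shown on this page) sets the field. ebt_do_table's body continues outside the hunk.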
+1 −0
@@ -285,6 +285,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
	 */
	 */
	e = get_entry(table_base, private->hook_entry[hook]);
	e = get_entry(table_base, private->hook_entry[hook]);


	acpar.net     = state->net;
	acpar.in      = state->in;
	acpar.in      = state->in;
	acpar.out     = state->out;
	acpar.out     = state->out;
	acpar.hooknum = hook;
	acpar.hooknum = hook;
+1 −0
@@ -315,6 +315,7 @@ ipt_do_table(struct sk_buff *skb,
	acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
	acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
	acpar.thoff   = ip_hdrlen(skb);
	acpar.thoff   = ip_hdrlen(skb);
	acpar.hotdrop = false;
	acpar.hotdrop = false;
	acpar.net     = state->net;
	acpar.in      = state->in;
	acpar.in      = state->in;
	acpar.out     = state->out;
	acpar.out     = state->out;
	acpar.family  = NFPROTO_IPV4;
	acpar.family  = NFPROTO_IPV4;